Problem with nginx to rsyslog

Luv
I am trying to send logs to rsyslog via nginx, but it seems that it is not being sent.

Here is the nginx conf; I have defined a custom log format:

    log_format rsyslog '$remote_addr - $remote_user [$time_iso8601] "$request "'
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/api_access.log rsyslog;
    access_log syslog:server=localhost:514 rsyslog;
    error_log /var/log/nginx/api_error.log debug;

I am storing these logs in file also, and sending to rsyslog also.

    alphauser@AlphaServer:/etc/rsyslog.d$ sudo netstat -nulp | grep 514
    udp        0      0 0.0.0.0:514             0.0.0.0:*                           41335/rsyslogd  
    udp6       0      0 :::514                  :::*                                41335/rsyslogd  

The rsyslog udp port 514 is open.

Here is the rsyslog configuration,

    template(name="all-json-nginx"
             type="list") {
        constant(value="{ ")
        constant(value="\"level\":\"")
        property(name="syslogseverity-text")
        constant(value="\", ")
        constant(value="\"type\":\"")
        property(name="programname")
        constant(value="\", ")
        constant(value="\"from\":\"")
        property(name="hostname")
        constant(value="\", ")
        property(name="$!all-json" position.from="2")
    }


    if $syslogtag == 'nginx' then {
        action(type="mmnormalize"
            rulebase="/opt/rsyslog/nginx-logs.rb"
        )

        action(type="omelasticsearch"
            template="all-json-nginx"  # use the template defined earlier
            searchIndex="nginx-logs-alpha"
            searchType="nginx"
            server="xx.xx.xx.xx"
            serverport="9200"
            uid="****"
            pwd="****"
            bulkmode="on"  # use the bulk API
            action.resumeretrycount="-1"  # retry indefinitely if Elasticsearch is unreachable
        )
    }
    else {
        action(name="all-logs-alpha"
            type="omelasticsearch"
            server="xx.xx.xx.xx"
            serverport="9200"
            searchIndex="all-logs-alpha"
            uid="****"
            pwd="****"
            bulkmode="on"
            action.resumeretrycount="-1")
    }

1 - The thing is that nginx logs are being written to the file, but are not being sent to the rsyslog.

2 - The rsyslog config is right, as I see no error in rsyslog status, and logs are being sent to the elasticsearch in "all-logs-alpha"  index.

I am running rsyslog with the `$ rsyslogd -dn` command, and I don't see any error and no mention of nginx at all.

Also, I have tested this whole setup on my local machine and it works well, but is causing issues on my server.

What is the possible issue here and how can it be solved?

Re: problem with nginx to rsyslog

Luv
I see this during debugging,

    1781.308284937:main Q:Reg/w0  : PROPFILT condition result is 0
    1781.308305337:main Q:Reg/w0  :     PROPFILT
    1781.308356437:main Q:Reg/w0  :     Property.: 'syslogtag'
    1781.308405837:main Q:Reg/w0  :     Operation: 'isequal'
    1781.308465837:main Q:Reg/w0  :     Value....: '[CLOUDINIT]'
    1781.308543937:main Q:Reg/w0  : Filter: check for property 'syslogtag' (value 'CRON[43496]:') isequal '[CLOUDINIT]': FALSE
    1781.308577037:main Q:Reg/w0  : PROPFILT condition result is 0

and this

    1781.300664930:main Q:Reg/w0  : PRIFILT condition result is 0
    1781.300685530:main Q:Reg/w0  :     IF
    1781.300853431:main Q:Reg/w0  :         var 'syslogtag'
    1781.300912831:main Q:Reg/w0  :       ==
    1781.300960531:main Q:Reg/w0  :         string 'nginx'
    1781.301031331:main Q:Reg/w0  : eval expr 0x2644b80, type 'CMP_EQ'
    1781.301050631:main Q:Reg/w0  : eval expr 0x265c630, type 'V'

Re: problem with nginx to rsyslog

David Lang
What do the logs look like in the file? (I suspect the format is bad.)

Try logging in rsyslog with the format RSYSLOG_DebugFormat and see what shows
up.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Re: problem with nginx to rsyslog

Luv
Apologies for this post.

It was due to an outdated version of nginx.
I updated it and it works very well now.
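A way to tell "nginx sends nothing" apart from "rsyslog receives but misroutes", added here as an example and not part of the thread: a small UDP listener that prints the facility, severity and tag of each datagram it receives. Port 5514, the function names and the sample datagram are assumptions of this example; the sample uses nginx's default syslog facility (local7), severity (info) and tag (nginx).

```python
import re
import socket

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# BSD syslog (RFC 3164) layout: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.S)

def parse_datagram(data: bytes) -> dict:
    """Split one syslog datagram into the fields a filter would match on."""
    text = data.decode("utf-8", errors="replace").rstrip("\n")
    m = RFC3164.match(text)
    if not m or int(m["pri"]) > 191:  # 191 = local7.debug, the highest valid PRI
        return {"wellformed": False, "raw": text}
    pri = int(m["pri"])
    return {"wellformed": True, "facility": FACILITIES[pri >> 3],
            "severity": SEVERITIES[pri & 7], "host": m["host"],
            "tag": m["tag"], "msg": m["msg"]}

def listen(port: int = 5514, count: int = 5, timeout: float = 30.0) -> list:
    """Print up to `count` datagrams arriving on 127.0.0.1:port (assumed free)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    sock.settimeout(timeout)
    seen = []
    try:
        while len(seen) < count:
            data, _ = sock.recvfrom(65535)
            seen.append(parse_datagram(data))
            print(seen[-1])
    except socket.timeout:
        print(f"no datagram within {timeout} s; {len(seen)} received so far")
    finally:
        sock.close()
    return seen

# Constructed sample: what one access-log line in the thread's log_format could look like.
SAMPLE = (b'<190>Jan  5 10:15:32 AlphaServer nginx: 203.0.113.7 - - '
          b'[2024-01-05T10:15:32+00:00] "GET /api/health HTTP/1.1 "200 15 "-" "curl/8.0" "-"')

if __name__ == "__main__":
    print(parse_datagram(SAMPLE))
    listen()
```

To use it, temporarily add `access_log syslog:server=127.0.0.1:5514 rsyslog;` beside the existing lines, reload nginx and make a request. If nothing arrives while the file log keeps growing, the problem is on the nginx side, not in the rsyslog rules.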